Companies House website security 'a bit of a mess'

Nerve centre of British business open to scams

Serious security holes in the website of Companies House - the UK database of corporate information - have exposed sensitive data and create the risk of corporate identity theft, security consultants warn.

The UK government agency maintains that alleged security flaws identified by researcher Paul Moore are either in the process of being fixed or not worthy of serious concern. A spokesman initially told El Reg that issues first highlighted in a blog post last month by Moore were "nothing we weren't aware of already". He added that most of the information held by Companies House was public information.

Moore strongly disputes this. His blog post covers a litany of alleged security problems but he said that three were particularly pressing. Firstly comes the ability to login as any company (WebCheck/WebFiling) without a username/password. Moore is also highly critical of the "poor SSL implementation" on the site. Lastly he charged Companies House with failing to put the site through adequate penetration testing, a security evaluation procedure commonly used across the industry as a means to pick up on security problems before they are exploited by hackers.

Moore first highlighted concerns about the Companies House website more than a month ago. He updated his warnings on with a video highlighting the alleged vulnerabilities to the site, and the potential impact of these disputed security flaws.

These flaws open the door to corporate identity theft, he warns. Companies House strongly disputes but an independent security expert asked by El Reg to review arguments on both sides said there are reasonable grounds for concern.

"Based upon the information in the video and the reply you received from Companies House, it is a bit of a mess," Chester Wisniewski, a senior security advisor at Sophos Canada, told El Reg.

"The techniques outlined by [Moore] are certainly not things I expect the average internet user to understand, but they are also not in the category of rocket science. These flaws are not likely to be unknown and anyone with basic penetration testing skills could easily uncover them. We should expect and demand better of our government and those we entrust with our reputations."

Wisniewski, who added the caveat that he hadn't created the accounts necessary to personally verify Moore's claims, concluded that although "by no means are these issues catastrophic", but nonetheless "they should be resolved".

"It is appropriate to pressure Companies House about why they are inconsistent in their use of SSL, strange password limitations and insecure password reset policies," he added.

Corporate ID theft is an infrequent though not unprecedented scam. Several years ago, for example, UK firms were urged to be on their guard against a then-emerging scam which specifically targeted the Companies House database. The scam was based on changing the registered office of a limited company before ordering goods and services and disappearing before any invoice came up for payment leaving the hijacked firm holding the can.

Fraud detection firm Early Warning told us at the time that three companies (a Kent property company, an antique dealer and flooring company, both in London) had fallen victim to the scam.

Fraudsters used the same scam to hijack the identity of a firm owned by billionaire businessman Philip Green in September 2005.

This was seven years ago and doubtless procedures have been applied to block that particular ruse, as evidenced by the lack of other corporate victims since. However the reappearance of similar scams using different techniques calls for constant vigilance.

Pass-time

Moore began investigating problems on the Companies House site after requesting a password reset and receiving a plain text password reminder by return of email. It's well known in the security industry that this is slipshod practice and recent problems involving retail giant Tesco brought the issue to wider attention. Some pointers on best practice for password resets can be found here.

After receiving an inadequate response to this issue, Moore dived deeper, discovering a myriad of problems in the process.

That was in early October and although over the subsequent weeks Companies House managed to fix XSS (Cross Site Scripting) and XSRF/CSRF (Cross Site Request Forgery) its fix for the password reset issue was itself problematic, according to Moore.

“Companies House no longer send password reminders; instead opting for a more secure technique whereby passwords can be reset using a token sent to the user’s email address," Moore explained. "In this context, the token should be considered a temporary replacement password, as anyone in possession of it can gain access to the account."

"As such, it should also be securely hashed (or encrypted at least) to prevent unauthorised use. In order to maintain security, the token should expire immediately after use and within an appropriate time frame (90 minutes in this instance), again to prevent unauthorised use."

Moore said that the first attempt to remedy the situation only made matters worse.

"Previously, if your email/backups were intercepted, your password would be visible in plain text," he explained. "That’s clearly a serious risk, but one which can be mitigated by changing your password and securing your inbox. Assuming the hacker hasn’t tampered with the account profile (email address for example) the security of the account should now be restored."

"Following the changes however, the user’s information/company is still at risk even after the password has been changed and the inbox has been secured. The token doesn’t actually expire, despite the system telling you it had," he added.

Moore also argues that SSL setup of the Companies House (CH) website is flawed. He said that although most of the information in WebCheck is publicly available (apart from the personal details used to register) the WebFiling system that allows companies to file returns, accounts, add directors/shares etc) is also vulnerable.

"I don't think it's sunk in yet," he said.

Checks on the secure Companies House WebFiling page using GlobalSign's SSL Configuration Checker, developed using the assessment technology of Qualys SSL Labs, grade the website at a "C". This is a passing grade but one which shows scope for improvement, as illustrated by the results of the publicly available test.

Moore has engaged in extended dialogue with developers and others at Companies House in an attempt to get the alleged vulnerabilities fixed. Although a professional security consultant he said that he acted only as a concerned citizen and business owner and was not seeking to get work from Companies House.

Taken together the alleged failings suggest shortcomings in the web development and testing process at the government agency.

Days after Moore published his video, in response to a request for comment by The Register, a Companies House spokesman supplied us with an updated statement.

I would reiterate that nothing that was raised by Mr Moore was not already known to us and, where necessary, actions were in train to address matters. Indeed a number of issues have been definitively addressed since we last corresponded. A number of assumptions were made without knowledge of our infrastructure or additional security controls.

We would not wish to discuss these in any public forum for obvious reasons but it remains the case, as we have stated on a number of occasions, that we do take security seriously and any issues raised by customers or other sources are examined and necessary mitigation put in place. This is not just a trite phrase but a matter all public agencies take seriously.

Companies House provides services that allow limited companies in the UK to be either incorporated or dissolved. It also stores company information delivered under the Companies Act and related legislation, such as accounts, and makes this information available to the public. ®